To start the database server with transport-layer security, supply the server identity file name and the password protecting the server's private key.
For an overview of the steps required to set up transport-layer security, see Setting up transport-layer security.
Use the -ec server option to specify the certificate and certificate_password parameters.
The following is the syntax of a partial dbsrv10 command line:
-ec tls(
tls_type=cipher;
certificate=server-identity-filename;
certificate_password=password )
-x tcpip
cipher can be rsa or ecc for RSA and ECC encryption, respectively. For FIPS-approved RSA encryption, specify tls_type=rsa;fips=y. RSA FIPS uses a separate approved library, but is compatible with SQL Anywhere 9.0.2 or later clients using RSA.
For a list of supported platforms for FIPS, see the Separately Licensed Components sections of the SQL Anywhere, UltraLite, and MobiLink tables in
server-identity-filename is the path and file name of the server identity file. If you are using FIPS-approved RSA encryption, you must generate your certificates using the RSA cipher.
For more information about creating the server certificate, which can be self-signed, or signed by a Certificate Authority or enterprise root certificate, see Creating digital certificates.
password is the password for the server private key. You specify this password when you create the server certificate.
You can also start the database server with simple encryption, which does not assure data integrity or provide server authentication. Simple encryption makes it more difficult for someone using a packet sniffer to read the network packets sent between the client and the server. Simple encryption is supported in previous versions of SQL Anywhere.
For more information about the -ec server option, see -ec server option.
You specify the TCP/IP protocol using the -x server option. See -x server option.
The following example uses the -ec server option to specify ECC security, the server identity file, and the password protecting the server's private key:
dbsrv10 -ec tls(tls_type=ecc;certificate=c:\test\serv1_ecc.crt;certificate_password=mypwd) -x tcpip c:\test\secure.db
You can hide the command line options, including passwords, by using a configuration file and the File Hiding utility, dbfhide. See @data server option.
The following example uses the -ec server option to specify RSA security, the server identity, and the password protecting the server's private key:
dbsrv10 -ec tls(tls_type=rsa;certificate=c:\test\serv1_rsa.crt;certificate_password=test) -x tcpip c:\test\secure.db
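The following added example (not part of the original documentation or of SQL Anywhere) parses the -ec option string described above and reports the weaknesses this page mentions: simple encryption, fips=y without RSA, and a private-key password readable on the command line. The names parse_ec_tls, audit_ec and SAMPLES are hypothetical, and the sample command lines are constructed from the examples on this page.

```python
import re

# Matches the tls(...) form of the -ec value shown in the syntax above.
TLS_RE = re.compile(r"-ec\s+tls\s*\(([^)]*)\)", re.IGNORECASE)

def parse_ec_tls(cmdline):
    """Return the tls(...) parameters as a dict (lower-cased keys), or None."""
    match = TLS_RE.search(cmdline)
    if match is None:
        return None
    pairs = (p.partition("=") for p in match.group(1).split(";"))
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def audit_ec(cmdline):
    """Return a list of findings for one database server command line."""
    params = parse_ec_tls(cmdline)
    if params is None:
        if re.search(r"-ec\s+simple\b", cmdline, re.IGNORECASE):
            return ["simple encryption: no data integrity or server authentication"]
        if re.search(r"(^|\s)@\S", cmdline):
            return ["options come from @data; audit that configuration file"]
        return ["no -ec tls(...) option: transport-layer security is not enabled"]
    findings = []
    tls_type = params.get("tls_type", "").lower()
    if tls_type not in ("rsa", "ecc"):
        findings.append("tls_type must be rsa or ecc")
    if params.get("fips", "n").lower() == "y" and tls_type != "rsa":
        findings.append("fips=y is documented only with tls_type=rsa")
    if not params.get("certificate"):
        findings.append("certificate (server identity file) is missing")
    if "certificate_password" in params:
        findings.append("certificate_password is readable on the command line; "
                        "use a configuration file hidden with dbfhide")
    else:
        findings.append("certificate_password is missing")
    return findings

# Constructed sample command lines, modelled on the examples on this page.
SAMPLES = [
    r"dbsrv10 -ec tls(tls_type=rsa;certificate=c:\test\serv1_rsa.crt;certificate_password=test) -x tcpip c:\test\secure.db",
    r"dbsrv10 -ec tls(tls_type=ecc;fips=y;certificate=c:\test\serv1_ecc.crt) -x tcpip c:\test\secure.db",
    r"dbsrv10 -ec simple -x tcpip c:\test\secure.db",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, audit_ec(line), sep="\n  ")
```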